1.\" $OpenBSD: etherip.4,v 1.6 2018/01/12 04:36:44 deraadt Exp $ 2.\" 3.\" Copyright (c) 2015 YASUOKA Masahiko <yasuoka@openbsd.org> 4.\" 5.\" Permission to use, copy, modify, and distribute this software for any 6.\" purpose with or without fee is hereby granted, provided that the above 7.\" copyright notice and this permission notice appear in all copies. 8.\" 9.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16.\" 17.\" The following requests are required for all man pages. 18.\" 19.Dd $Mdocdate: January 12 2018 $ 20.Dt ETHERIP 4 21.Os 22.Sh NAME 23.Nm etherip 24.Nd EtherIP tunnel interface 25.Sh SYNOPSIS 26.Cd "pseudo-device etherip" 27.Sh DESCRIPTION 28The 29.Nm 30interface is a pseudo-device for tunnelling Ethernet frames across IP[46] 31networks using RFC 3378 EtherIP encapsulation. 32.Pp 33An 34.Nm 35interface can be created using the 36.Ic ifconfig etherip Ns Ar N Ic create 37command or by setting up a 38.Xr hostname.if 5 39configuration file for 40.Xr netstart 8 . 41It must be configured with the addresses used for the outer header. 42This can be done using 43.Xr ifconfig 8 Ns 's 44.Ic tunnel 45command (which uses the 46.Dv SIOCSLIFPHYADDR 47ioctl). 48.Pp 49The 50.Nm 51interface must be made a member of a 52.Xr bridge 4 . 53The 54.Xr sysctl 2 55variable 56.Dv net.inet.etherip.allow 57must be set to 1, unless 58.Xr ipsec 4 59is being used to protect the traffic. 
60Ethernet frames are then encapsulated and sent across the network 61to another 62.Xr bridge 4 , 63which decapsulates the datagram and processes the resulting Ethernet 64frame as if it had originated on a normal Ethernet interface. 65This effectively allows a layer 2 network to be extended from one point to 66another, possibly through the Internet. 67This mechanism may be used in 68conjunction with IPsec by specifying the appropriate IPsec flows 69between the two bridges. 70To only protect the bridge traffic between 71the two bridges, the transport protocol 97 (etherip) selector may be 72used in 73.Xr ipsec.conf 5 . 74Otherwise, the Ethernet frames will be sent in the clear between the 75two bridges. 76.Sh EXAMPLES 77Given two physically separate Ethernet networks, a bridge can 78be used as follows to make them appear as the same local area network. 79If bridge1 on network1 has the external IP address 1.2.3.4 on em0, 80bridge2 on network2 has the external IP address 4.3.2.1 on em0, and 81both bridges have em1 on their internal network (network1 and network2, 82respectively), the following configuration can be used to bridge 83network1 and network2. 
84.Pp 85First create the bridge interface, 86adding the encapsulation interface and internal Ethernet interface 87to the bridge interface: 88.Bd -literal -offset indent 89# ifconfig bridge0 add etherip0 add em1 90.Ed 91.Pp 92Create and configure the etherip0 interface: 93.Bd -literal -offset indent 94(on bridge 1) # ifconfig etherip0 tunnel 1.2.3.4 4.3.2.1 95(on bridge 2) # ifconfig etherip0 tunnel 4.3.2.1 1.2.3.4 96.Ed 97.Pp 98Create Security Associations (SAs) between the external IP address of each 99bridge and matching ingress flows by using the following 100.Xr ipsec.conf 5 101file on bridge1: 102.Bd -literal -offset indent 103esp from 1.2.3.4 to 4.3.2.1 spi 0x4242:0x4243 \e 104 authkey file "auth1:auth2" enckey file "enc1:enc2" 105flow esp proto etherip from 1.2.3.4 to 4.3.2.1 106.Ed 107.Pp 108Now load these rules into the kernel by issuing the 109.Xr ipsecctl 8 110command: 111.Bd -literal -offset indent 112# ipsecctl -f ipsec.conf 113.Ed 114.Pp 115Appropriate 116.Xr ipsec.conf 5 117for bridge2: 118.Bd -literal -offset indent 119esp from 4.3.2.1 to 1.2.3.4 spi 0x4243:0x4242 \e 120 authkey file "auth2:auth1" enckey file "enc2:enc1" 121flow esp proto etherip from 4.3.2.1 to 1.2.3.4 122.Ed 123.Pp 124And load them: 125.Bd -literal -offset indent 126# ipsecctl -f ipsec.conf 127.Ed 128.Pp 129To use dynamic (as opposed to static) keying, 130use this 131.Xr ipsec.conf 5 132on bridge1: 133.Bd -literal -offset indent 134ike esp proto etherip from 1.2.3.4 to 4.3.2.1 135.Ed 136.Pp 137And on bridge2: 138.Bd -literal -offset indent 139ike esp proto etherip from 4.3.2.1 to 1.2.3.4 140.Ed 141.Pp 142Bring up the internal interface (if not already up) and encapsulation 143interface: 144.Bd -literal -offset indent 145# ifconfig em1 up 146# ifconfig etherip0 up 147.Ed 148.Pp 149Finally, bring the bridge interface up and allow it to start processing 150frames: 151.Pp 152.Dl # ifconfig bridge0 up 153.Pp 154The internal interface on each bridge need not have an IP 155address: the 
bridge can function without it. 156.Pp 157Note: It is possible to put the above commands in the 158.Xr hostname.if 5 159files, using the 160.Sq !\& 161operator. 162.Sh SEE ALSO 163.Xr sysctl 2 , 164.Xr bridge 4 , 165.Xr inet 4 , 166.Xr inet6 4 , 167.Xr ipsec 4 , 168.Xr hostname.if 5 , 169.Xr ifconfig 8 , 170.Xr netstart 8 171.Sh STANDARDS 172.Rs 173.%A R. Housley 174.%A S. Hollenbeck 175.%D September 2002 176.%R RFC 3378 177.%T EtherIP: Tunneling Ethernet Frames in IP Datagrams 178.Re 179.Sh HISTORY 180The 181.Nm 182device first appeared in 183.Ox 5.9 . 184.Sh AUTHORS 185The 186.Nm 187driver was written by 188.An Kazuya Goda Aq Mt goda@openbsd.org . 189
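The EXAMPLES procedure above, expressed as the persistent hostname.if(5) and ipsec.conf(5) files for one bridge, as an added example that is not part of the OpenBSD page or the etherip(4) driver. The function name etherip_gen, its argument layout and the output directory standing in for /etc are assumptions made for this example; the addresses, interface names, SPIs and key file names are the ones used in the page's own example. The "none" mode covers the case the DESCRIPTION warns about: no IPsec, so the sysctl must be enabled and the frames travel unauthenticated.

```shell
#!/bin/sh
# Added example (not from the OpenBSD etherip(4) page): write the
# hostname.if(5) and ipsec.conf(5) files that express the bridging
# procedure above for one side of the tunnel.  "etherip_gen" and its
# argument layout are hypothetical names chosen for this example.
#
# Usage: etherip_gen OUTDIR LOCAL REMOTE INTIF MODE [SPIS] [AUTHKEYS] [ENCKEYS]
#   MODE is "ike" (dynamic keying), "static" (manual SAs; the optional
#   SPI and key-file pairs default to the values used in the page) or
#   "none" (no IPsec: frames go in the clear and the sysctl must be set).
#   OUTDIR stands in for /etc so the result can be inspected first.
etherip_gen() {
	out=$1 lcl=$2 rmt=$3 intif=$4 mode=$5
	spis=${6:-0x4242:0x4243} akeys=${7:-auth1:auth2} ekeys=${8:-enc1:enc2}

	if [ -z "$out" ] || [ -z "$lcl" ] || [ -z "$rmt" ] || [ -z "$intif" ]; then
		echo "etherip_gen: missing argument" >&2; return 1
	fi
	if [ "$lcl" = "$rmt" ]; then
		echo "etherip_gen: local and remote addresses must differ" >&2; return 1
	fi
	mkdir -p "$out" || return 1

	# hostname.if lines that are not "!" commands are handed to
	# ifconfig(8), so the tunnel, add and up steps need no "!" prefix.
	printf 'tunnel %s %s\nup\n' "$lcl" "$rmt" > "$out/hostname.etherip0"
	printf 'up\n' > "$out/hostname.$intif"
	# netstart(8) configures bridges after the other interface types, so
	# etherip0 and the internal interface exist when this file is read.
	printf 'add etherip0\nadd %s\nup\n' "$intif" > "$out/hostname.bridge0"

	case $mode in
	ike)
		# Dynamic keying; isakmpd(8) must be running for this rule.
		printf 'ike esp proto etherip from %s to %s\n' "$lcl" "$rmt" \
			> "$out/ipsec.conf"
		;;
	static)
		# Manual SAs.  Generate the peer with the SPI and key-file pairs
		# reversed, exactly as the two ipsec.conf files in the page mirror
		# each other.
		printf 'esp from %s to %s spi %s \\\n\tauthkey file "%s" enckey file "%s"\nflow esp proto etherip from %s to %s\n' \
			"$lcl" "$rmt" "$spis" "$akeys" "$ekeys" "$lcl" "$rmt" \
			> "$out/ipsec.conf"
		;;
	none)
		# Without IPsec the kernel refuses EtherIP unless this sysctl is
		# set, and nothing authenticates the encapsulated frames.
		printf 'net.inet.etherip.allow=1\n' > "$out/sysctl.conf"
		echo "etherip_gen: warning: no IPsec; EtherIP from $rmt is accepted unauthenticated" >&2
		;;
	*)
		echo "etherip_gen: mode must be ike, static or none" >&2; return 1
		;;
	esac
}

# Example invocation for bridge1 of the page, writing under /tmp/bridge1:
# etherip_gen /tmp/bridge1 1.2.3.4 4.3.2.1 em1 ike
```

For bridge2 the same call is made with the addresses swapped, and in static mode with the SPI and key-file pairs swapped as well. Once the files are moved into /etc, ipsec=YES in rc.conf.local loads ipsec.conf at boot, and the ike variant additionally needs isakmpd(8) enabled (isakmpd_flags=-K is the usual setting for ipsec.conf-driven policy).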